We are under a heavy icmp flood attack. Tcpdump shows the result below. Although we have blocked ICMP with iptables tcpdump still prints icmp packets. I've also attached iptables configuration and "top" result. Is there anything I can do to completely stop icmp packets?

I've never used tcpdump so I'm a little lost looking at the output but are you sure that the ICMP redirects are not in response to your server trying to connect to, ping, or traceroute to 94.201.175.188?
– joeqwerty Oct 1 '12 at 2:30

4 Answers

Contact your ISP and give them this information. They'll need to drop the traffic on the backbone. Once the traffic hits your firewall, the resources are already being consumed on your end. The only way to stop this is to drop it on the backbone.

Actually, no, I won't. Fragmentation-needed messages are covered by the rule for ICMP type 3 destination-unreachable. And there are perfectly valid reasons for not allowing just any kind of ICMP traffic into your LAN (or out of it for that matter).
– Ansgar Wiechers Oct 1 '12 at 1:00

How is this going to help? If this is a deflection attack, then the ICMP traffic will already be filling the pipe as it hits the software firewall. This will cut down on some of the traffic, since the server will not respond, but the inbound traffic will still consume resources. This isn't going to solve anything against any decent-sized attack.
– MDMarra Oct 1 '12 at 0:27

As per any half decent DoS attack, there is no need for the target system to respond for the attack to be effective. Blocking or dropping the traffic at the firewall simply means the firewall is now the target, instead of the server. The end result is the same.
– John Gardeniers Oct 1 '12 at 6:19